Handling cases where the SNI server name does not equal the HTTP request host/authority

[johnbellessa]

Hello,

My apologies if this has been addressed in the spec or elsewhere, but haven't been able to find anything. Basically, it seems like the spec describes what to do if a request's SNI server name matches a different Listener than request's host/authority.

In particular, the spec says:

• If another Listener has an exact match or more specific wildcard entry,
  the Gateway SHOULD return a 421.
• If the current Listener (selected by SNI matching during ClientHello)
  does not match the Host:
  • If another Listener does match the Host the Gateway SHOULD return a
    421.
  • If no other Listener matches the Host, the Gateway MUST return a
    404.

My first question is to clarify the meaning of the first bullet:

If another Listener has an exact match or more specific wildcard entry, the Gateway SHOULD return a 421.

Does this mean that if the Listener selected by matching the SNI server name ALSO matches the request host, BUT the request host also matches a Listener with a more specific hostname, then the gateway should respond with 421?

My second question is what should the behavior be if the SNI server name and request host are different values but have the same most-specific matching Listener?

The fact that this case isn't mentioned in how to handle misdirected requests makes me think the Gateway should treat it as though the server name and request host values are equal. Is that correct?